Digital World: Scamming the scammers

The latest major breach of data security - the theft of over a million resumes from the Monster.com job-finding site - shows just how low the criminal personality can go.

By DAVID SHAMAH

August 28, 2007 07:54

It's a case of the poor getting poorer, while the crooked get richer.
The latest major breach of data security - the theft of over a million resumes from the Monster.com job-finding site - shows just how low the criminal personality can go. Once upon a time, crooks had basic standards (http://tinyurl.com/2plw7v). But today's thieves couldn't shine the shoes of Capone and Luciano. The thieves that perpetrated the Monster.com scam took a special pleasure, it seems, in robbing the people who could least afford the loss - because they were an easy target.
Actually, this is a story that should concern anyone who has ever posted information in a public database, not just a resume site - including databases that purport to be secure from hackers. There are other, more old fashioned ways to get at data, as the Monster incident shows.
The story is notable not just for what happened, but what didn't: Monster, apparently, did not bother to reveal that its server had been compromised for several days. About 1.5 million resumes were accessed by the data thieves, who were able to get into a Monster.com server using apparently legitimate names and passwords, probably filched unknowingly from legitimate employers. The thieves then utilized a Monster service for employers that allows them to track down candidates for employment offers, using a rogue program to search and download the data. Thus, they were able to get the names, addresses, phone numbers etc. of over a million people, worldwide, who are or have recently been looking for a job.
What could one do with such information? According to http://tinyurl.com/3b4oue, some victims of the data theft received "job offers" that appeared to be legitimate, with one of the conditions of the job a requirement that employees have an account with the Bank of America - and that they supply the account details, if they wanted the job.
Now, savvy Web users would normally never send bank account information to an e-mail address, and it's likely that many of the recipients of these fake offers were sensible enough to question the requirement. But in any group, there are going to be individuals trusting (or naÃ¯ve) enough - or desperate enough, in the case of someone who has been out of work for awhile - to bite. However, since the thieves had correct information about the victim, they could tailor their request to make it seem perfectly kosher. The employer got their information from Monster, to which site they submitted their information, after all.
Spam and phishing messages these days are more sophisticated than ever - at least the ones that I get. Most of them are personalized, i.e. addressed to me by name (I read spam so you don't have to!). I haven't come across one that has any specific information about my personal life, but I have noticed that many of the "sent from" names and subjects of the messages reflect names in my local address book, or subject names of (legitimate) e-mail messages I have received. In some cases, the message subjects and/or sender names are legitimate enough to get me to click on the message before it gets filed in the junk folder by my e-mail program's filters.
Repeated checks of my computers show that there are no active trojans and/or viruses that could be lifting information off my computer (in fact, I use a Mac to download my mail, so I know there are no rogue programs checking my data).
In other words, it's not like there's a piece of spyware on my computer polling my inbox, looking for e-mails that don't get filtered out and copying the data on subject and user name to a remote server, which then applies that information to spam in the hope that the junk messages look legitimate enough for me to open. But clearly there is a "leak" somewhere, because the names/subject name of the messages are too good, too often for it to be a "shot in the dark." If the leak isn't on my PC, that must mean its on the server (although of course my ISP would never admit to such a thing).
Seen through the prism of the Monster.com incident, I now have a plausible explanation for this strange and heretofore very puzzling phenomena.
The US Federal Trade Commission has a list of suggestions of steps you can take to avoid being a victim of a phishing scam (http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt127.pdf), most of them basic, common sense ideas. But of course, a situation like the Monster.com incident isn't within the realm of possibility in this document; clearly it will have to be revised. Which means that until the relevant agencies come up with solutions and suggestions to deal with this kind of data theft, which generates legitimate and authentic looking messages that recipients could easily believe to be "the real thing."
So what to do? What if you were looking for a job and got a message requiring "confirmation" of information the site already seems to have - especially as part of a job application? Or if you were asked to resubmit a credit card number for a product you had already ordered?
The solution, it seems to me, is to assume in advance that you are going to be ripped off and/or a phishing attempt is going to be made on you, and that your money and/or credit card information is going to be the final objective of the scam. To that end, you should consider using a "drop box" address or a P.O. Box address as the one you receive your snail mail at. The benefit of a move like that would be to remove your name and credit card number's association from your address; usually, if a merchant can't confirm your address at the time of the purchase, the credit card company will reject it.
The same goes for your ID number (teudat zehut), Social Security number, driver's license number, or other government-issued identification number; when asked for a confirmation (the message will ask you for the number, not present you with the number and ask for an affirmation), give one that's a few digits "off" - like an 8 instead of a 3. Again, without the correct number, they can't get at your money, if indeed you're the victim of a scam. And if it turns out to be a legitimate message, you can always chalk up the error to a "typo." It also can't hurt to have a "disposable" e-mail address (pick a service provider from http://tinyurl.com/youhjr). Messages to that mailbox can be forwarded to your regular inbox, with the sender none the wiser; and if you use a disposable address, it becomes harder for the scammer to match up your name with other details s/he may be searching for across multiple databases, since you will appear as a "different" person.
See? You, too, can use the Internet to scam someone - in this case, the people who really have it coming. Why should the bad guys have all the fun?
http://digital.newzgeek.com

Sites Of Interest

The Jerusalem Post Customer Service Center can be contacted with any questions or requests:
Telephone: *2421 * Extension 4 Jerusalem Post or 03-7619056 Fax: 03-5613699E-mail: [email protected]
The center is staffed and provides answers on Sundays through Thursdays between 07:00 and 14:00 and Fridays only handles distribution requests between 7:00 and
13:00
For international customers: The center is staffed and provides answers on Sundays through Thursdays between 7AM and 6PM
Toll Free number in Israel only 1-800-574-574
Telephone +972-3-761-9056
Fax: 972-3-561-3699
E-mail: [email protected]